Recap of W3C’s Do-Not-Track Symposium

Last week I participated in the W3C’s Do-Not-Track symposium, which brought together a very broad cross-section of stakeholders interested in browser-based user preference mechanisms for data collection, aka “tracking.” The group convened primarily due to the submission of two inputs from Microsoft to the W3C and Mozilla to the IETF, and the goal of the meeting was to begin discussions on the creation of open standards for the various protocols around tracking preferences for consumers.

We talked about how to define “tracking”, a debate with opinions that varied from “it doesn’t matter because this is a universal right of consumers” to “let’s align the focus of this work with actual consumer harm.” Given the complexity of the tracking ecosystem, it became clear during our discussion that this ecosystem needs to be thoroughly mapped for the benefit of consumers and solution providers.

As we discussed the bits and bytes of how a Do Not Track (DNT) feature can work, it became apparent to all in the room that user experience is critical in such a tool, especially in one that will require such a high degree of upfront consumer education.

The browser companies will play a critical role here and it was no surprise that SSL came up several times as another relevant browser-based trust model. P3P was mentioned, but did not receive the same level of attention – a good sign, since we all agreed we need to move fast to be relevant, forcing the need for simplification, something P3P did not accomplish.

In my panel on compliance we began to address some of the nuances of how to ensure that those companies participating in the tracking ecosystem are complying with user wishes and what the system would do with those companies that did not participate.

A couple of key points I shared in my short preso and panel discussion:

1) The systems we are discussing are essentially data systems and are, consequently, black boxes to external third parties. External verification systems can be used, but only as a first step. Some form of audit will be necessary to assure consumers of the system’s integrity.

2) Block-all systems are good choices, but only for some online users. More granularity is needed in the form of functional exceptions, desired types of systems to block and other one-off exceptions. Additional filters can be used to help elevate certified companies to present users with another choice if they would like to receive targeted ads, but only from companies they can trust.

3) Whitelisting can be an ingredient to help address those non-participating companies. Users can automatically block any company that is not participating as a first step.

4) Users are not looking to manage their privacy online as a primary task. Simplification is critical and trusted brands can help consumers manage this trust relationship.

5) Direct coordination is necessary with the DAA to ensure we are in lockstep with the self-reg program and its future iterations.

TRUSTe looks forward to continuing this discussion by sharing lessons learned in deploying solutions for privacy preference management, serving as the only trusted certification authority for privacy, and leveraging its strong consumer brand to help consumers understand this very nuanced privacy concept as it eventually rolls out.